CVE-2023-47847 - Exploiting the Missing Authorization in PayTR Taksit Tablosu (Up to 1.3.1)

PayTR is a well-known payment gateway in Turkey, widely used by local e-commerce sites. In late 2023, a significant security flaw was discovered in one of its popular plugins, PayTR Taksit Tablosu, affecting all versions up to and including 1.3.1. The bug, officially tracked as CVE-2023-47847, allows attackers to bypass critical access controls and potentially extract or manipulate sensitive information by exploiting missing authorization checks.

TL;DR

CVE-2023-47847: A missing authorization bug in PayTR Taksit Tablosu lets anyone, including unauthenticated users, access endpoints that should only be available to admins. This misconfiguration could allow an attacker to extract sensitive payment options information or even manipulate them.

What is PayTR Taksit Tablosu?

PayTR Taksit Tablosu is a WordPress/WooCommerce plugin which displays installment (taksit) tables for credit card payments. Merchants use this to show customers what their monthly payments would be. The problem is, by default, sensitive endpoints in the plugin are not protected by user authorization.

Where’s the Problem?

While analyzing versions up to 1.3.1, researchers found that REST API endpoints provided by the plugin do not check if the requesting user is authenticated, nor do they validate if the user has admin or shop manager privileges.

When any visitor calls the endpoint (in standard setups, something like /wp-json/paytr/v1/table), the plugin returns detailed payment data, possibly including installment options, merchant codes, and store-specific configurations.

Vulnerable Code Example

The following is a stripped-down code snippet of the plugin’s route registration (simplified for illustration):

add_action('rest_api_init', function(){
    register_rest_route('paytr/v1', '/table', array(
        'methods' => 'GET',
        'callback' => 'paytr_get_installment_table'
        // Notice: No 'permission_callback'
    ));
});

function paytr_get_installment_table( $request ) {
   // ... fetches and returns installment data
}

What’s Missing?

The permission_callback argument is missing. WordPress REST endpoints use this callback to decide whether the requesting user is allowed to call the route; when it is omitted, WordPress (since 5.5) only emits a _doing_it_wrong notice and still serves the endpoint to everyone.

A secure route registration should look like this:

register_rest_route('paytr/v1', '/table', array(
    'methods' => 'GET',
    'callback' => 'paytr_get_installment_table',
    'permission_callback' => function() {
        return current_user_can('manage_options'); // or another suitable capability
    }
));

Without this, anyone (even if not logged in) can access the callback.

Any attacker or visitor can scan public WordPress sites for this plugin endpoint:

curl https://[victim-site]/wp-json/paytr/v1/table

2. Data Extraction

A successful response reveals internal payment configuration, and potentially business-sensitive information.

Example Response

{
  "installments": [
    { "period": 2, "rate": 2. },
    { "period": 3, "rate": 3. }
  ],
  "storeId": "xxx123456",
  "merchantCode": "merchant-secret-code"
  // ...other config
}

Depending on plugin setup, leaking storeId or merchantCode could be the first step towards more damaging attacks.

3. (Optional) Manipulation

If any POST, PUT, or DELETE endpoints are similarly misconfigured, attackers could potentially change sensitive options without authentication.

- Recon for Larger Attacks: Data can be used for social engineering, or to find other weaknesses.

- Regulatory Consequences: Leaking financial information, even indirectly, can have compliance implications.

Update the Plugin

If PayTR Taksit Tablosu has released a patch above version 1.3.1, update immediately. Always use the latest version.

Quick Patch

Until you update, disable public access to the plugin’s REST endpoints with a firewall or custom code. Block /wp-json/paytr/v1/* for non-administrative users.

Sample emergency patch (in functions.php):

add_filter('rest_endpoints', function($endpoints){
    if (isset($endpoints['/paytr/v1/table'])) {
        // A route entry holds one or more handler arrays under numeric keys
        // (plus route-level metadata such as 'namespace'). The permission
        // check must be set on each existing handler; appending with [] would
        // create a new, empty handler and leave the real one unprotected.
        foreach ($endpoints['/paytr/v1/table'] as $key => &$handler) {
            if (is_int($key) && is_array($handler)) {
                $handler['permission_callback'] = function() {
                    return current_user_can('manage_options');
                };
            }
        }
        unset($handler);
    }
    return $endpoints;
});
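To find other plugins with the same defect (and to confirm the emergency patch above took effect), the following mu-plugin is an added example written for this post, not code from PayTR or WordPress: it lists every registered REST handler that has no permission_callback or uses the always-true __return_true. It assumes WP-CLI is installed; the command name rest-audit is my own.

```php
<?php
/**
 * Plugin Name: Open REST Route Audit (example for this post, not part of PayTR Taksit Tablosu)
 * Install: copy to wp-content/mu-plugins/ and run `wp rest-audit open-routes --namespace=/paytr/v1`
 */

// Returns one entry per REST handler that has no effective permission check.
// rest_get_server() initialises the REST server, which fires rest_api_init so
// that every plugin registers its routes, and get_routes() already applies the
// 'rest_endpoints' filter, so the functions.php emergency patch is reflected.
function rest_audit_open_routes( $route_prefix = '' ) {
    $open = array();
    foreach ( rest_get_server()->get_routes() as $route => $handlers ) {
        if ( $route_prefix !== '' && strpos( $route, $route_prefix ) !== 0 ) {
            continue; // only audit routes under the requested prefix, e.g. /paytr/v1
        }
        foreach ( $handlers as $key => $handler ) {
            if ( ! is_int( $key ) || ! is_array( $handler ) ) {
                continue; // defensive: skip any non-handler metadata
            }
            $reason = null;
            if ( empty( $handler['permission_callback'] ) ) {
                $reason = 'no permission_callback (CVE-2023-47847 pattern)';
            } elseif ( $handler['permission_callback'] === '__return_true' ) {
                $reason = 'permission_callback is __return_true (public by design; review)';
            }
            if ( $reason !== null ) {
                // get_routes() normalises 'methods' to array( 'GET' => true, ... )
                $open[] = array(
                    'route'   => $route,
                    'methods' => implode( ',', array_keys( (array) $handler['methods'] ) ),
                    'reason'  => $reason,
                );
            }
        }
    }
    return $open;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'rest-audit open-routes', function ( $args, $assoc_args ) {
        $prefix = isset( $assoc_args['namespace'] ) ? $assoc_args['namespace'] : '';
        $rows   = rest_audit_open_routes( $prefix );
        WP_CLI\Utils\format_items( 'table', $rows, array( 'route', 'methods', 'reason' ) );
        if ( $rows ) {
            WP_CLI::warning( count( $rows ) . ' handler(s) without an effective permission check.' );
        }
    } );
}
```

Run it without --namespace to audit every plugin on the site; routes that are intentionally public (for example a front-end installment table) should then carry an explicit __return_true rather than no callback at all, so the audit output stays actionable.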

References

- NIST CVE-2023-47847 details
- PayTR plugin listing (WordPress.org)
- WordPress REST API: Permission Callbacks

Merchants: Periodically audit your site for plugins with open endpoints.

If you’re running a WordPress shop, take action!
Update vulnerable plugins, and remember: keeping an eye on plugin-related CVEs saves you money and reputation.


Have more tips or stories about API endpoint vulnerabilities? Post your comments and let’s build a safer web!

Timeline

Published on: 12/09/2024 13:15:32 UTC